On February 6, the New York Times published a potent and timely article, How the United States Lost to Hackers, with the subhead, “America’s biggest vulnerability in cyberwarfare is hubris.” It’s a compelling read that both sketches a threat landscape long known to cybersecurity and data protection experts, and includes accounts of some exploits that have never been published.
Two key points from the piece are summed up in the following excerpts:
“At this very moment, we are getting hacked from so many sides that it has become virtually impossible to keep track, let alone inform the average American reader who is trying to grasp a largely invisible threat that lives in code, written in language that most of us will never fully understand . . . More hacking, more offense, not better defense, was our [government’s] answer to an increasingly virtual world order, even as we made ourselves more vulnerable, hooking up water treatment facilities, railways, thermostats and insulin pumps to the web, at a rate of 127 new devices per second.”
Take-away: Network hacks and data exploits against the U.S. government and businesses are now so widespread that our defenses often become overwhelmed. Part of the reason for the ubiquity of the hacks is that our official U.S. response has largely focused on offense, not defense.
“Only when the N.S.A.’s tools were hacked in 2017, then used against us, could we see how broken the trade-off between offense and defense had become. The agency had held onto a critical vulnerability in Microsoft for more than five years, turning it over to Microsoft only after the N.S.A. was hacked . . . By then it was too late. Businesses, schools and hospitals had yet to patch the hole when North Korea used it to attack one month later, or even two months later, when Russia baked it into a cyberattack that decimated vaccine supplies at Merck, cost FedEx $400 million and prevented doctors from accessing patient records.”
Take-away: The U.S.’s offensive-first strategy has had a direct impact on the vertical markets that are central to protecting the American people’s most important assets. Financial services, healthcare, and education institutions steward our money, our health, and our children’s development. Those institutions face ongoing attacks.
The U.S. does possess tools and expertise to play better defense, but that can’t happen overnight. Pandora’s box is open. Acknowledging the threat and acting accordingly is what’s necessary in the present.
The Defense of Data: Key Vertical Markets Share Realities
In this pervasive threat landscape, data’s protection and its recovery in the event of natural or human-caused disaster are inextricably linked. They are both part of a robust defensive strategy that prepares institutions for worst-case scenarios. Storms, fires, power outages, and other disasters that destroy machines, systems, and data are in the news every year. However, malicious destruction and ransoming of data by bad actors are in the news almost every week, and they are on an aggressive upward trajectory.
Recent revelations about the SUNBURST malware and the AMNESIA:33 vulnerabilities have renewed a sense of urgency among business and government stakeholders. As the NYT article notes, condemning those who have been raising the alarm as “sowers of FUD” (fear, uncertainty, and doubt) has illustrated the collective hubris. It’s not a FUD mindset, but rather an informed and practical business sense that acknowledges risk. Institutions that acknowledge such risk operate on the assumption that data compromise or loss is a matter of when, not if. Therefore, it’s not surprising that the CAGR (compound annual growth rate) for “global disaster recovery as a service (DRaaS) grew more than 30% during 2014-2019,” and subsequent growth is predicted to continue over the next five years, according to a 2020 IMARC Group report.
The particulars of a DRaaS offering can vary, but fundamentally it’s a solution that replicates physical or virtual servers to, and recovers them in, data centers managed and maintained by a third party. With Disaster Recovery (DR) now a necessity for SMBs, mid-markets, enterprises, and nonprofits across vertical markets, most organizations understand its importance and factor DR or DRaaS offerings into their budgets as a non-discretionary cost.
Below, we take a closer look into the specific data realities for the vertical markets that touch most people directly via their money, health, and kids. When those things are attacked, recovering known good data is a non-negotiable part of defense.
Realities Specific to Financial Services
The digital transformation of financial institutions has only accelerated during the pandemic, as in other sectors. The proliferation of open banking and open finance platforms, and the corresponding expansion of programmatic access (e.g., via APIs and SDKs), has compounded the risks to customer data. The situation requires extraordinary attention to guardrails and worst-case-scenario responses. Indeed, regulatory scrutiny and mandates surrounding financial data have intensified in recent years and are only likely to expand with increased federal data protection legislation on the horizon in the U.S.
Now add this truth: deep-seated trust must exist between clients and financial services companies. Any risk to that trust is an existential concern. But the Boston Consulting Group reports that “banking and financial institutions are 300 times more likely to be at risk of a cyberattack than other companies.”
Financial services companies need multiple layers of encryption, robust cloud security features, and immediate failover to prevent disruption and data loss. Seconds, not minutes, matter in disaster recovery scenarios for the financial sector. The consequences of failure include a failed economy and the potential for personal financial ruin for millions of people. It’s important to remember that many banks and credit unions maintain branches across various geographic regions. If a natural catastrophe occurs, multiple branches may simultaneously lose critical processing capabilities.
When disaster recovery is not needed as an emergency response, businesses must still prove that they are prepared for the worst, by addressing compliance audits and exams. Disaster recovery testing should be easy and efficient, but often it’s neither. Organizations continue to look for ways to improve their capabilities without a huge investment of time or resources.
Realities Specific to Healthcare
The NotPetya attack that destroyed vast quantities of computer data and data operations at Merck in 2017 (and at many other businesses) and the subsequent insurance fight was an eye-opener for all healthcare organizations. According to Bloomberg, “NotPetya so crippled Merck’s production facilities that it couldn’t meet demand that year for Gardasil 9, the leading vaccine against the human papillomavirus, or HPV, which can cause cervical cancer.” The case illustrated how data protection and recovery both need to be fundamental parts of a cyber defense strategy.
During the pandemic, vicious cyberattacks on hospitals have resulted in vast amounts of exposed, compromised, and lost patient data. One report indicates that healthcare organizations have seen a 45% increase in cyberattacks since November. Callous criminal hackers view the need for intact healthcare data, during a time of human suffering, as an opportunity to exploit.
In addition to the surge in attacks, healthcare app ecosystems are expanding rapidly, just like financial sector ecosystems. Apps are conveying sensitive electronic health records (EHR) and other patient and provider data. The regulatory requirements of the Health Insurance Portability and Accountability Act (HIPAA) govern this expanding environment. HIPAA protects patient information across a striking array of healthcare services and players. Those include: hospitals and health systems, private practice and specialty care, emergency medical services, pharmacies and pharmacy information systems (PIS) vendors, life science organizations, EHR and hospital information system (HIS) vendors, payers and pharmacy benefit managers (PBMs), insurers, and, perhaps most importantly, patients and caregivers.
Realities Specific to Education
While the pandemic resulted in major workforce adaptations across verticals, its impact on education has been nothing short of profound. Many schools have been leveraging learning management systems and take-home computers with preloaded software for well over a decade. But the lack of in-person contact between teachers and students, especially younger students, has consequences that are difficult to predict. The urgency to pivot back to a hybrid model has been palpable. From a data perspective, remote and hybrid learning models do not seem to pose life-altering challenges, but the reality is more complicated.
Student record maintenance, registration and grade reporting, curricula and instructional material, ERP and CRM systems used for compiling and processing student data, HR and payroll, institutional financial data, and proprietary research all require data integrity. They also require alignment with the Family Educational Rights and Privacy Act (FERPA), which protects the privacy of student education records and governs access to other forms of educational information.
Across the U.S., many public school districts, as well as parish and independent schools, still rely on legacy computing systems. These systems remain easy targets for hackers with grudges and relatively rudimentary skills. Disruptions and data loss can cost taxpayers millions of dollars, educators mountains of time, and students important opportunities. Fast failover and recovered data in a school system ultimately uphold continuity in learning and public trust.
It’s not only Americans’ money, health, and children being attacked. Just one week ago, a hacker tried to poison a public water supply in Pinellas County, Florida. By remotely taking control of a computer, the hacker increased the amount of sodium hydroxide — lye — in the water. Fortunately, a water treatment plant supervisor caught the change in chemical levels and corrected the problem before it created a public danger. But it’s a chilling example of cyber threats to public infrastructure that will yield tragic results if not immediately contained.
Amid escalated threats, honestly confronting cyber realities common across all verticals as well as those specific to each particular one is a first step in bolstering cyber defensive strategies. The next step is choosing the data protection and recovery tools and services that are best suited to a particular vertical environment and that will work in tandem in a disaster — whether human-hacked or nature-caused.